LinuxQuestions.org
Forum: Linux - Networking
Old 06-28-2009, 03:19 PM   #1
amaj1407
using OpenVPN for specific application(s)


Hello everyone,

I am subscribed to the unblockvpn.com service and I am using their OpenVPN, but I need to know if I can use this service so that it applies to certain applications and not to the whole internet traffic. Can I?

I hope my question is clear.

Thank you.
 
Old 06-28-2009, 03:29 PM   #2
osor
You might be able to accomplish this with policy-based routing and split tunneling.
 
Old 06-29-2009, 08:11 AM   #3
amaj1407
Thank you osor, I googled "policy-based routing" and got some tutorials, but I didn't understand what to do with them, and it seems to be dangerous. I am afraid that if I used them I'll corrupt my current internet connectivity. So if you can help me by guiding me through the right commands to apply, I'll be thankful.

If I played with those tutorials, can I get back my previous configuration? How?

I appreciate your concern.
 
Old 06-29-2009, 07:31 PM   #4
osor
Quote:
Originally Posted by amaj1407
If I played with those tutorials can I get back my previous configuration?
It depends on the tutorial. You should probably test out non-permanent commands. That way, if all else fails, you can simply reboot and have a pristine routing table.

In terms of specific steps to take, it isn’t as hard as it sounds. Normally, with openvpn, you use the config option redirect-gateway so that the helper scripts will write the default route to be tun0 (i.e., all traffic routed through the tunnel). Instead, you want selective packets going through.

This is roughly what you would do:
  1. Get rid of that option.
  2. Start openvpn. You should not be able to access anything through the tunnel.
  3. Create a separate routing table called “openvpn” with the commands
    Code:
    echo "100	openvpn" >> /etc/iproute2/rt_tables
    For this step, make sure that the number 100 isn’t already taken. Also, this step (unlike the others I describe) is permanent. It should not, however, change what a routing table looks like after reboot (unless you already have some conflicting policy routes).
  4. Add the default route to openvpn. This depends on how your openvpn server is configured. Here’s a guess (replace 123.123.123.123)
    Code:
    ip route add default via 123.123.123.123 dev tun0 table openvpn
  5. Add a fwmark policy to the route
    Code:
    ip rule add fwmark 42 table openvpn
    The number 42 is also just chosen to be unique. Hopefully you don’t already have any fwmark-based rules.
  6. Use iptables to filter some packets and mark them. This is the most subjective part. Basically, you will need some way to match those packets you want tunneled. For example, you might create a user named tunnel_me. Then, use a rule like the following:
    Code:
    iptables -t mangle -A OUTPUT -m owner --uid-owner tunnel_me -j MARK --set-mark 42
    and any program that tunnel_me runs will have tunneling applied.
  7. See if it works. If so, automate it so it works all the time.

Last edited by osor; 06-30-2009 at 02:19 PM. Reason: oops, typo in iptables command
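The procedure above as one script, added here as an example (it is not osor's code or anything shipped by unblockvpn.com): it makes step 3 safe to re-run, applies steps 4 to 6 as a unit, checks step 7 with ip route get, and can undo the non-permanent changes without a reboot. The table number, mark, user name, device tun0 and the 192.0.2.1 gateway are assumed placeholders; substitute the route-gateway the server pushes.

```shell
#!/bin/sh
# Added example, not osor's code: steps 3-7 as functions, with an idempotent
# rt_tables step and a teardown for the non-permanent changes. Assumed values:
# table 100/openvpn, fwmark 42, user tunnel_me, tun0, placeholder gateway.
set -u
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}; TABLE_NUM=100; TABLE_NAME=openvpn
MARK=42; TUN_USER=tunnel_me; TUN_DEV=tun0; TUN_GW=${TUN_GW:-192.0.2.1}  # placeholder

# Succeeds if FILE already maps NUM to NAME (this is the only permanent step).
rt_tables_has_entry() {
    awk -v n="$2" -v t="$3" '$1 == n && $2 == t { f = 1 } END { exit !f }' "$1"
}

# Succeeds if NUM or NAME is already used by a different entry in FILE.
rt_tables_conflict() {
    awk -v n="$2" -v t="$3" \
        '($1 == n && $2 != t) || ($1 != n && $2 == t) { f = 1 } END { exit !f }' "$1"
}

# Append "NUM<tab>NAME" exactly once; refuse to write anything on a conflict.
ensure_rt_table() {
    rt_tables_has_entry "$1" "$2" "$3" && return 0
    rt_tables_conflict "$1" "$2" "$3" && { echo "rt_tables: $2/$3 conflicts" >&2; return 1; }
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Steps 4-6: none of this survives a reboot, which is what makes it safe to test.
setup_split_tunnel() {
    ip route add default via "$TUN_GW" dev "$TUN_DEV" table "$TABLE_NAME" &&
    ip rule add fwmark "$MARK" table "$TABLE_NAME" &&
    iptables -t mangle -A OUTPUT -m owner --uid-owner "$TUN_USER" -j MARK --set-mark "$MARK"
}

# Reverse of setup_split_tunnel, in reverse order; tolerates a partial setup.
teardown_split_tunnel() {
    iptables -t mangle -D OUTPUT -m owner --uid-owner "$TUN_USER" -j MARK --set-mark "$MARK" 2>/dev/null
    ip rule del fwmark "$MARK" table "$TABLE_NAME" 2>/dev/null
    ip route flush table "$TABLE_NAME" 2>/dev/null
    return 0
}

# Step 7 check: ask the kernel which device a packet carrying the mark would leave on.
check_marked_route() {
    ip route get "$1" mark "$MARK" | grep -q "dev $TUN_DEV"
}
case "${1:-}" in
    up)   ensure_rt_table "$RT_TABLES" "$TABLE_NUM" "$TABLE_NAME" && setup_split_tunnel ;;
    down) teardown_split_tunnel ;;
esac
```

Run it as root with `up` once openvpn has brought the tunnel device up, and with `down` to return to the previous routing state; only the rt_tables line remains afterwards.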
 
Old 07-02-2009, 11:56 AM   #5
amaj1407
osor, I am truly sorry I could not reply because I faced some issues with my laptop, but here is what I tried after I connected to the service with "redirect-gateway" commented out in the file I got from unblockVPN.com:

The Steps I did:
Code:
echo "100       openvpn" >> /etc/iproute2/rt_tables
ip route add default via 77.78.108.129 dev tap0 openvpn
ip rule add fwmark 42 table openvpn
iptables -t mangle -A OUTPUT -m owner --uid-owner tunnel_me -j MARK --set-mark 42
But it seems to have no effects, so I appended the file I got from their website:

file: unblockvpn.ovpn
Code:
proto tcp-client

remote eu.finevpn.com 443 # non-standard port for OpenVPN, you can also use port 443 if it is better for you
dev tap

nobind
persist-key

tls-client
ca unblockvpn-ca.pem # Root certificate in the same directory as this configuration file.
ns-cert-type server


verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass

#redirect all traffic through openVPN tunnel
redirect-gateway

#if connection is terminated, it will attempt to connect without prompting username and pass
auth-retry nointeract
output of openvpn with the configuration taken from unblockvpn.ovpn
Code:
Thu Jul  2 18:12:38 2009 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jul  2 18:12:38 2009 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Thu Jul  2 18:12:38 2009 Local Options hash (VER=V4): 'b60e7885'
Thu Jul  2 18:12:38 2009 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Thu Jul  2 18:12:38 2009 Attempting to establish TCP connection with 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TCP connection established with 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TCPv4_CLIENT link local: [undef]
Thu Jul  2 18:12:42 2009 TCPv4_CLIENT link remote: 81.0.217.77:443
Thu Jul  2 18:12:42 2009 TLS: Initial packet from 81.0.217.77:443, sid=525d754d e12311ee
Thu Jul  2 18:12:43 2009 VERIFY OK: depth=1, /C=CZ/O=UnblockVPN.com/CN=UnblockVPN.com
Thu Jul  2 18:12:43 2009 VERIFY OK: nsCertType=SERVER
Thu Jul  2 18:12:43 2009 VERIFY OK: depth=0, /C=CZ/O=UnblockVPN.com/CN=eu.unblockvpn.com/emailAddress=info@unblockvpn.com
Thu Jul  2 18:12:44 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul  2 18:12:44 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul  2 18:12:44 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul  2 18:12:44 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul  2 18:12:44 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jul  2 18:12:44 2009 [eu.unblockvpn.com] Peer Connection Initiated with 81.0.217.77:443
Thu Jul  2 18:12:45 2009 SENT CONTROL [eu.unblockvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Jul  2 18:12:45 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 77.78.108.129,ifconfig 77.78.108.254 255.255.255.128'
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: route options modified
Thu Jul  2 18:12:45 2009 TUN/TAP device tap0 opened
Thu Jul  2 18:12:45 2009 /sbin/ifconfig tap0 77.78.108.254 netmask 255.255.255.128 mtu 1500 broadcast 77.78.108.255
Thu Jul  2 18:12:45 2009 /sbin/route add -net 81.0.217.77 netmask 255.255.255.255 gw 192.168.100.1
Thu Jul  2 18:12:45 2009 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jul  2 18:12:45 2009 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 77.78.108.129
Thu Jul  2 18:12:45 2009 Initialization Sequence Completed
I forgot to mention that the user tunnel_me is already created.
So please guide me to figure out what I missed.

Thank you again.

Last edited by amaj1407; 07-02-2009 at 12:20 PM. Reason: forgot to mention something
 
Old 07-03-2009, 05:10 AM   #6
amaj1407
Please, can anyone help me?
 
Old 07-03-2009, 06:06 PM   #7
osor
Quote:
Originally Posted by amaj1407
But it seems to have no effects
You have to be more specific. Do you mean that all the traffic is flowing through the tunnel? Or none of it? You also have to give some information about routing tables before and after running. For example, what does your pristine routing table look like (before running openvpn or executing any of those commands I told you about)? It would be the output of “ip route” (although the route command also works).
Quote:
Originally Posted by amaj1407
file: unblockvpn.ovpn
Code:
ip route add default via 77.78.108.129 dev tap0 openvpn
You seem to have forgotten the “table” specifier.
Quote:
Originally Posted by amaj1407
file: unblockvpn.ovpn
Code:
dev tap
In my experience, tap devices have been hard to firewall. You would be better off setting this to tun.
Quote:
Originally Posted by amaj1407
file: unblockvpn.ovpn
Code:
redirect-gateway
This has not been commented out as you described.
Quote:
Originally Posted by amaj1407
output of openvpn with the configuration taken from unblockvpn.ovpn
Code:
Thu Jul  2 18:12:45 2009 SENT CONTROL [eu.unblockvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Jul  2 18:12:45 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway 77.78.108.129,ifconfig 77.78.108.254 255.255.255.128'
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul  2 18:12:45 2009 OPTIONS IMPORT: route options modified
Thu Jul  2 18:12:45 2009 TUN/TAP device tap0 opened
Thu Jul  2 18:12:45 2009 /sbin/ifconfig tap0 77.78.108.254 netmask 255.255.255.128 mtu 1500 broadcast 77.78.108.255
Thu Jul  2 18:12:45 2009 /sbin/route add -net 81.0.217.77 netmask 255.255.255.255 gw 192.168.100.1
Thu Jul  2 18:12:45 2009 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Thu Jul  2 18:12:45 2009 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 77.78.108.129
It seems you have been given the tunnel address 77.78.108.254/25 with the default route 77.78.108.129. This is added to the main routing table, so I expect that all traffic is going through the tunnel. You will either need to stop/modify the openvpn scripts from doing this (if commenting out the default route didn’t work) or write some sort of a wrapper script which saves and restores the default route. This would also be handy if the new gateway address always changes (so you can relocate step 4 to this script). Code for the script might look something like:
Code:
#!/bin/sh
# Save the current default route, start openvpn detached, then move the
# default route its helper scripts install into the openvpn table and
# put the saved one back in the main table.
save=$(ip route list match 0/0)
openvpn --daemon --config /etc/openvpn/unblockvpn.ovpn
sleep 5   # give the helper scripts time to install the tunnel route
new=$(ip route list match 0/0)
ip route del 0/0
ip route add $save
ip route add $new table openvpn
 
Old 07-03-2009, 06:33 PM   #8
osor
Btw, I did not say so explicitly, but step 3 should not be performed more than once (even after rebooting), since you are writing to a persistent file (namely /etc/iproute2/rt_tables). Technically, you don’t need to do this, but it makes life easier to talk about the “openvpn” table rather than the “100” table. So make sure (in a text editor) that this file has only one line equating 100 and openvpn.
 
Old 07-03-2009, 10:13 PM   #9
amaj1407
I meant by "no effects" that no traffic goes through the tunnel; it acts as if I didn't run openvpn.

Quote:
You seem to have forgotten the “table” specifier.
I didn't forget, but I copied the wrong command; sorry, my bad.

Quote:
This has not been commented out as you described.
Yes, I had already commented out "redirect-gateway" when I did those steps, but I attached the original file, which has that line uncommented. The first step, which is
Code:
echo "100       openvpn" >> /etc/iproute2/rt_tables
I applied it only once; even after rebooting I didn't apply it again. Also, there is only one line with 100 in /etc/iproute2/rt_tables.

I'll show the routing table before and after running openvpn.

Before running openvpn:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.100.1   0.0.0.0         UG    0      0        0 eth1

After running openvpn with "redirect-gateway" commented out:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
net-77-78-108-1 *               255.255.255.128 U     0      0        0 tap0
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.100.1   0.0.0.0         UG    0      0        0 eth1
From this table I see that openvpn created a default route for the tap0 device, but it didn't affect the eth1 device, which is the only one connected to the internet. So how do I make tap0 speak to eth1?


After running openvpn without commenting out "redirect-gateway":
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
eu.finevpn.com  192.168.100.1   255.255.255.255 UGH   0      0        0 eth1
net-77-78-108-1 *               255.255.255.128 U     0      0        0 tap0
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         eu-129.finevpn. 0.0.0.0         UG    0      0        0 tap0
The $save and $new in the script you supplied are the same whether I don't run openvpn or run it with "redirect-gateway" commented out, so they may not help, but they differ when running openvpn without commenting it out.

In the first 2 cases (without running openvpn, or running it with "redirect-gateway" commented out) the result of
Code:
ip route list match 0/0
is
Code:
default via 192.168.100.1 dev eth1
but in the third case (running openvpn without commenting it out) the result is
Code:
default via 77.78.108.129 dev tap0

Thank you for your kindness and patience.
 
Old 07-05-2009, 09:28 AM   #10
amaj1407
Can anyone help?
 
Old 07-05-2009, 02:10 PM   #11
osor
Quote:
Originally Posted by amaj1407
can any one help?
Common netiquette dictates that when bumping your own thread, you indicate some details about what you have done in the meanwhile. You have two posts that are 35.25 hours apart, yet you have not detailed any further experimentation possibly performed in this time frame! For example, have you tried using the TUN driver (rather than TAP)? Have you tried saving and restoring the route when using the uncommented config file?

From all I can see, it should be working correctly, unless I am missing something simple. You can always try further experimentation, such as blackholing the openvpn table to make sure that tunnel_me’s traffic actually flows through it, or adding some logging rules to iptables. If you can’t get it to work, you can always try virtualization, though in this case, it seems like overkill.